Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 4 down vote favorite

I have a question I am hoping someone could help with..

I am in the process of writing an SQL Injection tool from scratch (I am aware there are already excellent tools out there such as SQL Map, but this one has to be written from scratch).

The problem I am having:

When manually performing SQL injection to determine tables names or column names and so on using strings such as:

www.vulnerable site.net/articles.php?id =-1 union select 1,2,group_concat(column_name),4 from information_schema.columns --

or

www.vulnarable site.net/articles.php?id =-1 union select 1,2,table_name,4 from information_schema.tables --

it is easy to determine the table names/column names as you can simply look at the page and read the column names that are returned in the page content.

But how can this be done in an automated way?

Doing this in an automated fashion is a lot harder though because how does the tool know what on the page that is returned when the sql injection is executed are table names/column names?

What would be the most reliable way to do this so the tool knows what parts of the page content to extract because they are table names/column names?

for example... could I parse/search the page content for strings seperated by commas to get the table and column names that are output by the injection? Is there better more reliable ways to do it?

your help with this is much appreciated, many thanks

share|improve this question

2 Answers

up vote 3 down vote accepted

The easiest way is to use blind sql injection. You know if the question you are asking is right or wrong depending on how long the query takes to execute. This is also the most flexible approach because a blind sql injection exploit will work regardless of the type of sql injection being exploited (blind, non-blind, select, insert, update, delete....).

Another approach is to try and identify a visible field on the page while you brute force the number of columns. Once you find this location on the page, then you can scrape data from this point (sqlmap does something like this for non-blind injection):

www.vulnerable site.net/articles.php?id =-1 union select 'dsjhfsjhfdf'
www.vulnerable site.net/articles.php?id =-1 union select 'dsjhfsjhfdf','sfjufewjfef'
...

This will work well with MySQL but some database types like postgresql, the columns in the union select must be the same type. So the database will also have to be brute-forced.

share|improve this answer
I agree with your point about blind sql injection being the best/easiest way. However, in this instance I am concentrating on union based injection, so your second suggestion (scraping the data once you have found the location on the page and so on) is the kind of thing I am looking for. Could you explain this a little further as I am a little unsure as to exactly how that would work? thanks for your help – perl-user Apr 25 at 8:27
@perl-user Well finding the content on the page is a technically difficult approach. However, you can use a union select with blind sql injection. Here is an exploit that i wrote which uses a a binary search with blind SQL Injection to pull out bytes using O(log(n)) requests. I use a union select with blind sql injection to find messages in the bin_ask subroutine. Its also multithreaded, which makes it very fast. – Rook Apr 25 at 19:08
Very interesting, I will definately have a look at that, thanks. Could you also tell me a little more about how you said sqlmap does it for non-blind SQL injection please as that method is still something I'm interested in aswell, thanks a lot for your help – perl-user Apr 25 at 19:42
1  
@perl-user If its non-blind injection you should be able to pull out the value of an arbitrary column. One option is to use the concat() function to surround the data that you are pulling out with a unique value. Then just use a regex to pull out the data between the two unique values. Damn simple son, maybe you should actually try solving problems, then you'll be a better problem solver ;) – Rook Apr 25 at 20:16
thanks, the concat_ws() function was what I required. I didn't realise it could be used in that way to effectively print a user defined string to the page as well as the database data, thanks for your help. – perl-user Apr 30 at 15:54
up vote 0 down vote

The easiest way is to access the page with legit input and with the injection and look at the difference. If you know what content is not results and know what the format of the expected result is, it isn't that hard to pick out the details with things like regular expressions or some other parsing engine.

Granted, any other dynamic elements (such as advertisements) that can differ from page load to page load may present a problem that would require a more elaborate plan.

share|improve this answer
Can you think of any ways that would allow me to pinpoint exactly where the returned data is on the page... for example, the data will be exactly between this string and this string, so I can then scrape everything in between these two points? thanks for your help – perl-user Apr 25 at 8:47
@perl-user as long as the source of the page is consistent between page loads, you just load the page normally and then compare one to the other until you get to a spot where it differs. You can then save the offset. If the page content differs from one page load to another, it's going to be a lot trickier and would likely require some manual effort to identify the correct dynamic block of source. – AJ Henderson Apr 25 at 13:10

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.